Interviews, insight & analysis on digital media & marketing

Now is the time to start thinking about long-term user privacy

The advertising industry is changing again, and as browsers and regulators clamp down on user privacy, publications that are not privacy-first will struggle.

By Jane Usoskina, product owner at Permutive

In the 90s, with the creation of the internet, publishers had to quickly adapt to a new world, in which individuals read the news online, all day. New media companies emerged, a lot of established publications died, and with the help of online advertising, the publishing world found a new status quo. 

The conviction that information should be free led to the birth of our advertising data industry, where, effectively, the user is paying for access with their personal information. 

But the industry is now going through another shift – while advertising still powers the free internet, it must do so while maintaining an individual’s privacy. Most critically, those technologies that don’t… will soon stop working.

Targeted advertising is predominantly delivered and controlled by data aggregators in the industry. A data aggregator would follow a user across the web, across multiple publishers, and build segments based on their behaviour. Every user would be given a third-party identifier, and an advertiser would acquire a list of IDs for a particular segment for targeting.

Does this model compromise privacy? 

Arguably, as a user, you should have the right to know where your data is going,  and that information about you is being traded on the internet. Having a few pieces of information shared with aggregators may not be an issue, but once a lot of data points can be combined to uniquely identify an individual, this can become problematic – especially when the user does not know where that data is going. 

For example, notice how adding each piece of information narrows down a pool of eligible individuals: someone who is looking for a new computer, likes football, is aged 25-30, lives in central London is subscribed to a certain magazine, is browsing from an iPhone… Adding more data points narrows the individual down further and further.

Last year, the ICO (Information Commissioner’s Office) ran an investigation into Real Time Bidding privacy and identified a number of issues, including the fact that privacy notices to individuals lack clarity, and tech participants are, in essence, processing too much data. It said:“It is unclear whether RTB participants have fully established what data needs to be processed in order to achieve the intended outcome of targeted advertising to individuals. The complex nature of the ecosystem means that in our view participants are engaging with it without fully understanding the privacy and ethical issues involved.”

The end of privacy workarounds

It is not only the ICO investigating this, but browsers themselves are enforcing a user privacy-centric approach. Safari and Firefox were the first to remove third-party cookies in trackers, and Chrome is following suit in early 2021. Workarounds attempted by the industry, such as fingerprinting (collecting enough data points about your device, like browser and system version, time settings, fonts, plugins etc to uniquely identify a user.) and third party domain CNAMEing, are being blocked. 

At this point, the industry trajectory is clear in showing us that ignoring user privacy is no longer an option for technology vendors. This puts publishers in a great position to help their users maintain their privacy by once again taking control of the individual’s data from aggregators, back from where it was generated in the first place. 

The best way to do that is to keep user privacy at the forefront of all decision making, whether around what technology to deploy on the site, or how to monetise traffic. 

A few things to help with these are:

  • Only share the data points necessary for a transaction. Just as GDPR requires you to only process as much data as necessary to accomplish a task, you should apply the same principle to sharing data. This will benefit both the value of your data (if you keep it, you have control over it), and the privacy of your users.
  • Avoid sending user IDs to other vendors, where possible. Be mindful that vendors may already hold some data on your users. By not sharing the user IDs unnecessarily, you can ensure that the user’s data from your site will not be linked to their other data unnecessarily, thus preserving their privacy.
  • Always consider the short term benefit against the long-term privacy consequences. When evaluating technology vendors, make sure their vision aligns with your privacy goals. Non-privacy compliant solutions are highly unlikely to work for the long term, and are often not worth risking your users’ privacy in the short term either.
  • Follow industry developments, such as Chrome Privacy Sandbox and Apple’s Webkit Tracking Prevention. You have a great opportunity in front of you to take control of your data, together with your users. Stay on top of industry developments to make sure you are technically prepared for the new privacy-first world. 

These are not just nice-to-have at this point. They are a must if you want to survive in the new era that values user privacy.